For the past few days I've been keenly following a particular thread on alt.security.scramdisk, a newsgroup that was originally dedicated to Scramdisk, an open-source virtual-disk (volume) encryption program. As of November 2001, Scramdisk has been superseded by a closed-source version, DriveCrypt.

The question that nowadays troubles most people in this newsgroup is: if you want security, can you trust a closed-source product such as DriveCrypt to securely protect your sensitive data? DriveCrypt includes dozens of enhancements to Scramdisk, but you no longer have access to the underlying source code. The programmer, Shaun Hollingworth, gives his word that there is no backdoor in his product; but would you trust anyone's word to feel secure in protecting your data? As someone at alt.security.scramdisk wisely expressed it: a collective mind is much more effective against programming screw-ups than a single, even very bright, mind.

In the Microsoft Windows world, open-source security products such as Scramdisk are rare - especially if you are looking for products that are still being updated and that also work under Windows XP.

My advice has always been to refuse to trust security programs that do not publish the source code.

I also follow this newsgroup, and one user post seems to express exactly what most of us are thinking:

Quote:

> >Shaun Hollingworth wrote:
> >> Not making money, simply earning a living.... Though that seems to be
> >> a crime for some people nowadays..
> >> The source is still out there for Scramdisk. Install it on a Win98/ME
> >> machine and use that...
> >But if we're using 2000/XP that's not an option is it
> No, but the impression I get is that you think I should be obliged to
> provide an open source version of the software....

Not at all.

You can do whatever works best for you.

We're discussing OUR options with respect to available
encryption software.

Since none of the currently available WinXP software is open
source, that discussion is theoretical, at least until such
software becomes available. When and if it does, many of us
will apparently migrate to that.

In the meantime, DriveCrypt issues expiring keys to purchasers;
BestCrypt, Steganos, Dekart, and PGPDisk do not.

In the meantime, DriveCrypt is managed by an individual who's
been convicted of fraud; BestCrypt, Steganos, Dekart, and
PGPDisk (AFAIK) are not. I note a claim on the
SecurStar 'Reference' page that at least one government agency
with which I'm very familiar uses SecurStar products; that
agency, as do most government agencies, explicitly forbids the
use of unapproved, closed source encryption software. You may
have found individual employees of such agencies who use your
products for personal home use, but implying that the agency
involved endorses your software, without any supporting
evidence, is disingenuous at best.

Those aren't very good recommendations for a product that
depends on the "Trust me, I know what I'm doing" model.

Perhaps the biggest warning sign of all is the ``trust us, we
know what we're doing'' message that's either stated directly or
implied by the vendor. If the vendor is concerned about the
security of their system after describing exactly how it works,
it is certainly worthless. Regardless of whether or not they
tell, smart people will be able to figure it out. The bad guys
after your secrets (especially if you are an especially
attractive target, such as a large company, bank, etc.) are not
stupid. They will figure out the flaws. If the vendor won't tell
you exactly and clearly what's going on inside, you can be sure
that they're hiding something, and that the only one to suffer
as a result will be you, the customer.

We are proud to announce that TrueCrypt 1.0 has been released today.
To our best knowledge, it is currently the only free open-source
on-the-fly encryption software capable of encrypting partitions
larger than 2 GB under Windows XP/2000. On Windows XP/2000, it is
also the only open-source on-the-fly encryption system that offers
plausible deniability. It can either encrypt entire partitions or
devices, or it can create virtual encrypted disks within files. TrueCrypt is based on (and might be considered a sequel to) a
discontinued product called Encryption for the Masses (E4M) by Paul
Le Roux. The differences between E4M and TrueCrypt include plausible
deniability, Windows XP support, significant increase in the volume
size limit, improved sector scrambling algorithm and many more.
For more information, please visit http://www.truecrypt.org

CD format is supported. (This was my main goal, so I can read CDs
encrypted under Linux with Windows). You can mount unencrypted ISO
images as well (i.e. as a DaemonTools replacement).

If someone has an idea of how to name this project or wants to test-drive it,
please let me know..

Regards,
Stefan

PS: Maybe I should join forces with the TrueCrypt team, but my goal is
to stay Linux-compatible, so I can go with whatever OS I want without having
to worry.

PPS: It will have a GNU license.

Next Targets:
*) finding a name ...
*) finding some beta testers (please write an email; simply remove .news
*) making a small website for faq and so on..
*) making a tool for creating encrypted iso images. ready to burn
*) maybe a gui.
*) implement loop-aes

Now I really wonder what SecurStar & Co are doing next. At least I don't care about them!

Alexander, this is great news. I do miss ScramDisk, though the whole concept of storing really sensitive personal information on anything other than a PDA seems strange to me nowadays. Still, one should be able to protect one's data on a PC as well, which brings me back to the original question. Most people (including myself) are not programmers. Even if I see the code, I can't tell whether it is secure or not. Some people, including us, believe that if it is open source and no one has found anything doubtful, it should be more reliable than some company's claim that 'everything is OK'. But most users want phone and customer support more than widely tested features. And from this point of view, a closed-source single-company product has advantages over an open-source one whose support is not so user-friendly. And the ideal combination is too rare....

Doesn't work for me either. Some people on the scramdisk newsgroup were able to download it before the site became unavailable - let's hope it comes back soon, or at least that someone puts a mirror up.

Quote:

> Most people (including myself) are not programmers. Even if I see the code, I can't tell whether it is secure or not. Some people, including us, believe that if it is open source and no one has found anything doubtful, it should be more reliable than some company's claim that 'everything is OK'. But most users want phone and customer support more than widely tested features. And from this point of view, a closed-source single-company product has advantages over an open-source one whose support is not so user-friendly.

This has been an ongoing discussion on the scramdisk newsgroup, and of course the DriveCrypt (closed-source) fans have been arguing along these lines.

However, trust me, there are always people who actually review the code of open-source security applications (I am one of them).

Open source itself might not be a guarantee of a backdoor-free, bug-free application - but it is definitely the prerequisite!

In the case of DriveCrypt, for example, you have no way of knowing
a) whether it is bug-free (if it contains a nasty bug compromising its security, how would you know?)
b) whether it contains a backdoor (I don't give much for the promises of a for-profit company)

OK, I know why http://www.truecrypt.org has been unreachable for the past 48 hours. Wilfried Hafner, CEO of SecurStar (DriveCrypt), has been threatening them with legal action! How I despise SecurStar! Here is the official news:

In the last two days, we have been receiving e-mails from Wilfried
Hafner, manager of SecurStar. In the e-mails he repeatedly accuses
Paul Le Roux, the author of Encryption for the Masses (E4M), of the
following:

These statements have been made to make us stop developing and
distributing TrueCrypt, which is based on E4M 2.02a.

As we have a strong suspicion that these statements are false, we
e-mailed Paul Le Roux and asked him to clear up this issue. Paul, we
would also appreciate if you could post a statement to this newsgroup
and sign it with the PGP key used to sign the archives containing
the original E4M 2.02a source code. The PGP key properties:

3. If you use any of the source code originally by Eric Young, you must
in addition follow his terms and conditions.

4. Nothing requires that you accept this License, as you have not
signed it. However, nothing else grants you permission to modify or
distribute the product or its derivative works.

These actions are prohibited by law if you do not accept this License.

5. If any of these license terms is found to be too broad in scope, and
declared invalid by any court or legal process, you agree that all other
terms shall not be so affected, and shall remain valid and enforceable.

6. THIS PROGRAM IS DISTRIBUTED FREE OF CHARGE, THEREFORE THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. UNLESS OTHERWISE
STATED THE PROGRAM IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE
QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.

7. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM, INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS, EVEN IF SUCH HOLDER OR OTHER PARTY HAD PREVIOUSLY BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES.

Disclaimer: IANAL, and it's been a long time since I talked to one about this
sort of thing, so count this as just an opinion:

This would depend on the terms of the license that Paul signed with SecurStar.
From discussions over this many years ago, it's not possible to unilaterally
and retroactively change a license in this manner (this is why you'll occasionally
find open-source apps based on formerly freely available work that has gone
commercial building on really old code that was distributed under a more
liberal license). If the license that Paul signed with SecurStar explicitly
says that it supersedes all previous ones, then it'd be more tricky and you'd
need to get a lawyer to look at it. I assume it's also going to be governed
by European law, which may rule out getting a US lawyer to comment on it (for
example, Europe has a stronger concept of moral rights than the US, which may
help in this case since it affects an artist's ability to control future use
of their work).

You could always submit it to slashdot and get the peanut gallery's opinion
:-).

Note that V1.0a is supposedly already out; the mirror also doesn't include the source code.

Let's see how long it takes for Truecrypt.org to come back!

V1.0a is essentially the same as V1.0, but without Windows 9x/ME support. They removed the portions of the Windows 9x/ME driver source code written by Aman, at his request (Aman = Shaun Hollingworth, creator of Scramdisk and employed at SecurStar).

Also note that you should be careful when you download TrueCrypt from a mirror (especially in the case of the binary distribution). It could always contain a worm or virus.
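The check a practitioner would want before trusting a mirrored archive, as an added example that is not from the thread, from TrueCrypt or from any of the vendors discussed: compare every file fetched from the mirror against a checksum list obtained over an independent channel (the origin site when it is reachable, a signed newsgroup post, a release note), reject modified or missing files, and refuse anything the mirror ships that the origin did not list. The archive names, their contents and the checksum list are constructed inline for illustration; they are not real release hashes.

```python
"""Verify files from an untrusted mirror against an origin checksum list.

Added example; the file names, contents and checksum list below are
constructed and hypothetical, not actual TrueCrypt release data.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_checksum_list(files: Dict[str, bytes]) -> str:
    """What the origin publishes: one '<sha256>  <name>' line per file
    (the sha256sum(1) output format)."""
    return "".join(f"{sha256_hex(data)}  {name}\n"
                   for name, data in sorted(files.items()))


def parse_checksum_list(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {name: digest}; malformed entries
    are an error rather than silently skipped, so a truncated or edited
    list cannot pass as a shorter valid one."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            digest, name = line.split(None, 1)
        except ValueError:
            raise ValueError(f"line {lineno}: malformed checksum entry")
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: bad SHA-256 digest for {name}")
        expected[name] = digest
    return expected


def verify_mirror(mirror_files: Dict[str, bytes],
                  origin_sums: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only when every listed file is
    present on the mirror with a matching digest and the mirror carries
    nothing the origin did not list (an extra 'installer' is a red flag)."""
    expected = parse_checksum_list(origin_sums)
    problems: List[str] = []
    for name, digest in expected.items():
        if name not in mirror_files:
            problems.append(f"missing: {name}")
            continue
        actual = sha256_hex(mirror_files[name])
        if not hmac.compare_digest(actual, digest):
            problems.append(f"modified: {name}")
    for name in mirror_files:
        if name not in expected:
            problems.append(f"unlisted: {name}")
    return (not problems, problems)


# Constructed sample: the release as published by the origin ...
ORIGIN_FILES = {
    "truecrypt-1.0a-src.zip": b"constructed source archive bytes",
    "truecrypt-1.0a-win.zip": b"constructed binary archive bytes",
}
ORIGIN_SUMS = build_checksum_list(ORIGIN_FILES)

# ... and a mirror copy where the binary archive was tampered with and an
# extra file was added (both constructed for the example).
MIRROR_FILES = dict(ORIGIN_FILES)
MIRROR_FILES["truecrypt-1.0a-win.zip"] = (
    ORIGIN_FILES["truecrypt-1.0a-win.zip"] + b"\x00constructed-tampering")
MIRROR_FILES["setup.exe"] = b"constructed unexpected file"

if __name__ == "__main__":
    ok, problems = verify_mirror(MIRROR_FILES, ORIGIN_SUMS)
    print("OK" if ok else "REJECT: " + ", ".join(problems))
```

The checksum list is only worth as much as the channel it came over: if it was fetched from the same mirror as the archives, an attacker who replaced the archives could replace the list too. A detached PGP signature over the checksum list, made with the project's long-lived key (the thread itself relies on the key used to sign the E4M 2.02a archives to authenticate a statement), closes that gap; hashes alone detect mirror tampering, not a compromised origin.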